f926b4d61a
Here is my first attempt to manage secrets when I deploy onto a NixOS machine. Background: When I develop, I use direnv, which reads an .envrc file in which I define my secrets. My secrets are read from `pass` using a pattern like this... ```shell secret_value="$(pass show path/to/secret)" ``` ...Thus far, I've found this pattern convenient. `pass show` invokes GPG, which asks me for a password to authenticate. This means that when I cd into a directory with an .envrc file using this pattern, I may be prompted by GPG for a password. When I'm not, it's because gpg-agent is still caching my password. This works for development, but I currently do not know how to use direnv for deployments. Here is what I'm using until I find a more convenient solution: - Store the secrets in /etc/secrets on socrates. Ensure that the /etc/secrets directory and its contents are only readable by root. - Use systemd's Environment and NixOS's builtins.readFile to read the files in /etc/secrets when I can `sudo nixos-rebuild`. Ideally I could call a function like `builtins.readFromPasswordStore` within configuration.nix. This would allow me to skip the step where I run... ```shell > ssh socrates > pass show finance/monzo/client-id | sudo tee /etc/secrets/monzo-client-id > pass show finance/monzo/client-secret | sudo tee /etc/secrets/monzo-client-secret > # etc ``` ...I don't know how to manage secrets using NixOS, but at least this is one answer. |
||
|---|---|---|
| advent-of-code | ||
| blog | ||
| clojure | ||
| configs | ||
| deploy | ||
| emacs | ||
| fish | ||
| go | ||
| gopkgs | ||
| haskell-file | ||
| java | ||
| lisp | ||
| monzo_ynab | ||
| nixos | ||
| org | ||
| scratch | ||
| third_party | ||
| tools | ||
| travel_hitlist | ||
| .envrc | ||
| .gitignore | ||
| default.nix | ||
| elisp-conventions.md | ||
| keybindings.md | ||
| Makefile | ||
| README.md | ||
| shell.nix | ||
| snippets.md | ||
| utils.nix | ||
briefcase
Welcome to my briefcase: my monorepo.
I'm attempting to amass a collection of packages that span a variety of languages while minimizing the costs of sharing the code. This also includes configuration for things like emacs, tmux, ssh, and other tools.
Installation (Deprecated)
The installation instructions here are deprecated. I'd like to manage packaging and installing with Nix, but that is only partially supported at the moment.
wpgtk and gvcci
$ apti python-pip3
$ gclone deviantfero/wpgtk
$ cd ..
$ gclone FabriceCastel/gvcci
- TODO: Integrate Emacs themes into wpgtk.
- TODO: Integrate Vim themes into wpgtk.
- TODO: add these to the install script
$ ln -s ~/Dropbox/.password-store ~/.password-store
$ ln -s ~/Dropbox/bin ~/bin
$ import_gpg $DOTFILES/configs/shared/gpg/.gnupg/exported
- Clipmenu
Clipmenu is a service to store a history of copied strings.
Install it as:
$ cd ~/programming && g clone cdown/clipmenu
- TODO: Include
~/.config/systemd/userinconfigs/shared. - TODO: Obviate installation.
Ensure that it runs on startup:
$ cd ~/programming/clipmenu
$ cp clipmenu clipmenud clipdel ~/bin # You may not need to do this step.
$ vim init/clipmenud.service
# Change the ExecStart line to point to ~/bin/clipmenud
$ cp init/clipmenud.service ~/.config/systemd/user/clipmenud.service
$ systemctl --user start clipmenud
$ systemctl --user enable clipmenud # This step may be optional.
$ reboot
$ systemctl --user status clipmenud # Verify installation worked.
- Install Dropbox
$ cd ~ && wget -O - "https://www.dropbox.com/download?plat=lnx.x86_64" | tar xzf -
$ crontab -e # add the following line...
@reboot ~/.dropbox-dist/dropboxd 2>&1 >/tmp/dropbox.log
$ reboot # 1/3 verify installation
$ pgrep dropbox # 2/3 verify installation
$ dropbox.py status # 3/3 verify installation
- Authorize computer to access GitHub
$ ssh-keygen -t rsa -b 4096 -C 'wpcarro@gmail.com'
$ eval $(ssh-agent -s)
$ ssh-add ~/.ssh/id_rsa
$ xclip -sel clip <~/.ssh/id_rsa.pub
$ browse github.com # paste ssh public key in settings
- Install Vundle, nix-env
$ ln -s ~/Dropbox/Vundle.vim ~/.config/nvim/bundle/Vundle.vim
$ cat ~/Dropbox/install_nix.sh | sh
$ for p in $(cat nix-env.txt); do
> nix-env -i "$p"
> done
- Install dotfiles
- TODO: include steps 2-4 in the
make installcommand.
Missing the following dependencies:
stowneovimbatexafasdopamghcupripgrepfzffdhubpass
$ cd ~/Dropbox/dotfiles
$ DOTFILES="$(pwd)" make install
- Install Node dependencies
For now, this deserves its own section since it isn't automated.
$ gclone tj/n # clone repo
$ sudo make install # build from source
$ n stable # install the stable version of node
- TODO: support dependencies like terminal themes
SSHFS
TODO: add explanation about unison, rsync, etc.
SSHFS enables seamless file transfers from your local machine to a remote machine.
Usage
Assuming your remote machine is configured in your ~/.ssh/config (see above),
you can mount your remote machine's home directory on your local machine like
so:
$ mkdir ~/ec2
$ sshfs ec2:/home/ubuntu ~/ec2 -o reconnect,follow_symlinks
Now your remote machine's home directory can be accessed using the ~/ec2
directory. This directory can be treated as if it were an ordinary local
directory. To illustrate how easy it is to use, let's install Vundle onto our
remote machine.
$ git clone https://github.com/VundleVim/Vundle.vim.git ~/ec2/.vim/bundle/Vundle.vim
Voila! We now have Vundle installed on our ec2 instance without needing to
manually SSH into that machine.
GnuPG
To install GPG run the following:
$ import_gpg
TODO: create a job that runs this periodically.
$ export_gpg
Reference
- sec: secret key
- pub: public key
- ssb: secret sub-key
- sub: public sub-key
Terminals and Fonts
Any terminal or font I choose should pass the following checks:
$ test_true_color
$ test_16_colors
$ test_text_formatting
$ test_unicode
$ test_emojis
Ligatures
If using a font with ligature (e.g. Hasklig) assert that your terminal also support ligatures.